Uber Agrees to 20 Years of Privacy Audits by the FTC

Long plagued by privacy issues, Uber has agreed to privacy audits for the next 20 years after the FTC found the ride-sharing company at fault for harming consumers.

There are twin transgressions, in the FTC’s eyes: First, the ride-hailing start-up had a system for monitoring employee access to consumer information, but it stopped using it after less than a year. Also, hackers stole more than 100,000 driver names and license numbers in a 2014 data breach, which the FTC said could have been easily averted using multifactor authentication. Combined, these amount to "deceptive privacy and data security claims,” the FTC said.

"Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data," said Maureen Ohlhausen, acting chairman of the FTC. "This case shows that, even if you're a fast-growing company, you can't leave consumers behind: you must honor your privacy and security promises."

In addition to the audits, Uber will be implementing a new privacy program as part of the settlement.

Some noted that the requirements from the States are changes that Uber would have had to make to continue operating in Europe anyway.

"Uber may offer cheap cab fares but underneath the surface is a company plagued by reports of sexism, a massive data breach and an unhealthy interest in the journeys taken by a journalist,” Lee Munson, security researcher for Comparitech.com, said via email. "While such an agreement with the FTC may sound incredibly arduous, [but] executives may be rubbing their hands together, safe in the knowledge that the FTC will point them in the right direction long before any EU nations start handing out fines of up to 4% of an organization’s annual turnover for nightmarish privacy issues."

Trust and privacy go hand in hand, another researcher told us.

“In the age of digital business and increasing cyber-risk, it’s critical for senior executives and boards to put the building of trust at the top of the priorities list,” Malcolm Harkins, chief security and trust officer at Cylance, said via email. “Trust is a function of two things: Competence and character. While I respect the work of Uber’s more recent executive hires, this settlement may be an indication of things that were lacking to deliver that trust earlier in Uber’s history. Not only for security, but for privacy, all organizations should have a set of principles in place to guide the placement of the anchor points for security and privacy to deliver trust. Equally important is the right governance model to oversee the evolution of trust throughout the company.”